Perhaps you followed the dramatic headlines in May as the U.S. Department of Veterans Affairs came to grips with the fact that it had lost a laptop (that has since been recovered) with personal information on 26.5 million veterans and active-duty soldiers, potentially exposing them to identity theft.
Since then, you might have overlooked the missing New York state government laptop with 540,000 names. Or the Federal Trade Commission laptops with 110 names. Or the Ernst & Young Global Ltd. laptop with 243,000 names. Or the YMCA of Greater Providence, R.I., laptop with 68,000 names. Or the Equifax Inc. laptop with 2,900 names. Or the ING Groep NV laptop with 13,000 names. Or the Internal Revenue Service laptop with 291 names. Or the Ahold USA Inc. laptop with an undisclosed number of names. And those were just some cases that surfaced in June.
Yet technology is available that would allow the words laptop and security to be spoken in the same breath without triggering gales of cynical laughter. Securing laptops generally depends on either Internet tracking, “kill switches” or encryption — or, more commonly, a combination of the three.
Absolute Software Corp. offers a service called Computrace, through which subscribers’ laptops connect with an Internet server once a day. If a machine is reported stolen, it will be told to start checking in every 15 minutes the next time it connects to the server, explains Les Jickling, marketing manager at the Vancouver, B.C.-based vendor. Using various databases, its IP address will be matched to a street address. The next knock on that door may be the police arriving to recover the machine.
Thomas Schuetz, president of MDx Medical Management Inc., a consulting firm in Windsor, N.Y., signed up for the Computrace service in November 2005 to keep track of 20 laptops. Two months later, his own laptop went missing.
“I sent the Computrace people a copy of the police report, but the machine did not start polling the Internet until the end of March, from a location in Florida,” Schuetz says. “The recovery team contacted me in early April. They had tracked it to Yonkers and then to downtown Manhattan, where it settled into one IP address, a person’s home. They were able to watch what was being done with the laptop and asked me if I knew that person. They offered to erase the hard disk remotely, but I would have had to reconstruct certain things, so I said no.”
After the laptop was seized, Schuetz went to the precinct headquarters to pick it up, and everything was intact, he says. The person from whom the laptop was recovered now faces charges of possessing stolen property.
“The service would be worth twice what it costs us, and we recommend to our doctor clients that they get this service,” he says.
By special arrangement, links to Computrace are contained in the BIOS chips of Hewlett-Packard, Gateway, Lenovo Group, Dell and Fujitsu laptops so that even reinstalling the operating system will not stop the machines from reporting in, Jickling says. Pricing for the full Computrace service starts at US$128.95 per unit for three years. A consumer version, called LoJack for Laptops, is priced at $49.99 for one year.
Meanwhile, CyberAngel Security Solutions Inc. in Nashville offers a combination of encryption and tracking. The CyberAngel system creates an encrypted partition on the hard drive, and anyone who boots the system but gives the wrong password will be able to use the machine but will not see the encrypted partition, says CyberAngel spokesman Bradley Lide. While an unsuspecting thief uses the machine, the laptop will start sending out tracking pings in the background.
“We got the CyberAngel service when we first started getting laptops two years ago and have needed it twice,” says Jodea Johnson, a systems administrator at Douglas County Hospital in Alexandria, Minn.
Johnson says she chose the service because she liked the encryption it offered and the likelihood that a thief would not be aware of it. Also, the price seemed right — $62.60 per three-year license for organizations buying coverage for 100 to 500 devices.
It took about six weeks before the first missing laptop started transmitting and the police could recover it, while the second one took less than a week, Johnson says.
Kill switches, along with encryption, are the weapons of choice of Beachhead Solutions Inc. in Santa Clara, Calif. When a machine using Beachhead’s Lost Data Destruction service connects with the server after it has been reported stolen, the service begins erasing preselected files, overwriting them multiple times to preclude file recovery, says Jeff Rubin, Beachhead’s vice-president of marketing. Lost Data Destruction can also trigger other stunts to make the stolen machine unusable, such as eternally rebooting it.
Machines with the service periodically go through a checklist, noting things such as whether they have been booted up using legitimate access controls. If they haven’t, they can launch procedures in order to thwart illicit use, Rubin says.
Single-user pricing is $129 a year.
“Tracking is a great idea if you are concerned about the hardware, but a $1,500 laptop is no big deal compared to the damaged reputation that could result from a breach,” says Corey Jenrich, IT manager at Community Bankin Pasadena, Calif. He uses Beachhead’s product for his bank’s 80 machines. He has never had one stolen and so has never used the kill switch. In the meantime, Jenrich uses the automated encryption facilities that the Beachhead software also offers.
“We could have just rolled out the Encrypting File System on Windows XP, but we thought it put too much reliance on the end user to put the right files in an encrypted folder, and if the laptop gets into the wild, I can’t prove that a given file was encrypted,” he says. With Beachhead, all files with user-specified extensions will be encrypted. Jenrich also says he likes the way the software can delete files and close down the computer even if it never connects online again.